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ABSTRACT 



Four methods for proving equivalence of programs by induction are 
described and compared. They are recursion induction, structural in- 
duction, y-rule induction, and truncation induction. McCarthy's for- 
malism for conditional expressions as function definitions is used and 
reinterpreted in view of Park's work on results in lattice theory as re- 
lated to proofs about programs. The possible application of this work 
to automatic program verification is commented upon. 
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Introduction 

Work on compilers, code optimizers, language definitions, and de- 
bugging systems often requires some notion of correctness of a program 
or of the equivalence of two programs. To determine the correctness of 
a compiler it is necessary to prove that the compilation process pre- 
serves meaning of programs, so that executions of a source language pro- 
gram and of its corresponding object language program produce identical 
results for all input. In optimizing a program it must be true that the 
transformations made preserve the program meaning in the same sense. 
Since there can be no general procedure for testing equivalence of pro- 
grams [9] , we must try to find partial decision procedures for this prob- 
lem. For example, it can be shown that two programs are equivalent if a 
corresponding statement of first order logic is a theorem [4] . Or, in 
examining programs which operate on structured data, equivalence might be 
proved by an inductive argument based on the degree of complexity of the 
structured data [6]. 

Rules of this last type, i.e. rules with some induction step in them, 
will be the subject of this thesis. Several such methods are now known. 
Two of them, recursion induction and structural induction have been de- 
fined rather informally. Two others, application of a rule of inference, 
the u-rule, and truncation induction, are somewhat more formally defined. 
All of these methods can be understood in terms of certain results of 
lattice theory as described by Park [8] . By using this information and 
by studying proofs by the various techniques we will explore and clarify 
the relationships between these induction rules. 
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Chapter 1. 

1. 1. Notation 

Our language for describing functions will be that of McCarthy [5]. 
The set of forms written in terms of the set of primitive functions and 
predicates, ,T, will be denoted by C('^<). The forms in C(^<) are: 

if F is in ^, then F is in C('j) 

if f and g are in C(^>), then f°g is in C(J<) [composition] 

if p and q are in C(^) then p A q, p V q, and -i p are in C( Jt) 

if p,f and g are in C(^), (where p is a predicate), then the 
form (if p then f else g) is in C(Q<) 

In general the function and predicate symbols will be uninterpreted, par- 
ticularly in definitions, but there will be examples of proofs for both in- 
terpreted and uninterpreted forms. Also, it is generally assumed that the 
constant functions T,F € C(J«) and that the primitive predicates and func- 
tions are total. 

A function definition is a function name, say f, followed by = and 
then some f orm C in the class C(^). The function name itself may appear 
on the right hand side, in which case the definition is recursive. C(f) 
represents a conditional form which contains the function name f . The 
function name, f, can be considered to be a variable for which a substitu- 
tion of another function name can be made. In general, script letters 
0-s , XV, C-t ... will be used for forms. Sometimes it is convenient to de- 
fine several functions at the same time, with references to each other, and 
occasionally a function may be defined to be the restriction of another 
function to a particular domain. The following are examples of function 
definitions : 

(1) f(x) s if Px then Fx else FFx 

(2) f(x) = if Px then f(Fx) else FFx 

(3) f(x) = if Px then g(Fx) else f(FFx) 
g(x) = if Px then f(x) else x 



(4) f(x) s if Px then if PEx then fFx else Fx 

else f(FFx) 

(5) f(x) s g(x,l,l) 

where g(x,y,z) = if x=y then z else f(x,y + l, z • y) 

McCarthy [5] shows that the class of functions definable from forms in 
C(succ, eq), where succ is the successor function and eq is the predicate 
for equality, is the class of all computable functions on the natural num- 
bers, proving that this is a sufficiently powerful language to be of inter- 
est to us. 

There are axioms for manipulating conditional expressions which con- 
stitute a complete system for checking equality of any pair of uninter- 
preted conditional forms. Two forms are equal if under any interpretation 
of function letters (except where a restriction is indicated) normal evalua- 
tion of either form results in the same value, where a conditional form, if 
p then a else b, has the value of a if p is T and of b if p is F. These 
axioms (again from McCarthy) are: 

(Al) if p then a else a 

is equal to a (if p is total) 

(A2) if T then a else b 
is equal to a 

(A3) if F then a else b 
is equal to b 

(A4) If p then T else F 
is equal to p 

(A5) if p then (if p then a else b) else c 
is equal to 
if p then a else c 

(A6) if p then a else (if p then b else c) 
is equal to 
if p then a else c 



-8- 



(A7) if (if p then q else r) then a else b 
is equal to 

if p then (if q then a else b) 

else (if r then a else b) 

(A8) if p then (if q then a else b) else (if q then c else a) 
is equal to 
if q then (if p then a else c) else (if p then b else d) 

It is thus possible to test any two conditional expressions for equality. 
However, when conditional expressions are used as right hand sides of func- 
tion definitions, the test for equality of any two function definitions is 
complicated by the possibility of recursions. It is obvious that if 
f = 0(f) and g s JO (g) are defined so that the right hand sides of their 
definitions can be shown to be identical forms by the axioms i.e. that 
O(x) = £5(x) then f and g are identical functions. However, there will be 
functions where the right hand sides appear to differ, but the recursion 
causes the results of computations to always be identical. For example, 
consider the following two definitions (from Morris [7]). 

(1) f (x,y) s if Px then y else Gf (Fx,y) 
g(x,y) s if Px then y else g(Fx,Gy) 

Comparison of these forms by the axioms does not tell us enough about the 
functions f and g. To see how to compare these two function definitions 
we must understand how to interpret these recursive definitions. 

A recursive definition can be considered to be an algorithm for com- 
puting a function. So the definition 

f(x) s if Px then fFx else x 

means "to compute f(x) test Px, if Px false the answer is x, if Px true 
then compute fFx." To compute fFx, we follow the same algorithm. Obviously, 
for some legal function definitions, and some arguments, execution by the 
algorithm can continue forever. Thus the functions defined by these condi- 
tional expressions may well be partial functions. With this interpretation 



of the recursive definition, the following interpretation of the equiva- 
lence of two such definitions emerges. For any argument, following either 
of the two algorithms must always lead to the same answer. For the ex- 
ample (1) above it is clear that for any argument x, fdllowing the algo- 
rithm for f or for g leads to the same result. In one case, G is applied 
to y at each step in the computation and in the other case the appropri- 
ate number of applications of G are recorded to be carried out at the end 
of execution. It becomes clear that some way of carrying out induction 
over the number of appeals to the definition is needed i.e. induction on 
the level of recursion. For this particular example, we would like to be 
able to show that if-iPx, then Gf(Fx,y) = f(Fx,Gy). In other words, at 
the next level of recursion, we can either apply G or save it for later. 
If this is true then 

~f (x,y ) e if Px" then y else GglRxjy ) 

"' "»' if Px T then ynsTae'f^Sc^Gy ) 



and we see that a computation of f(x) can actually be done by following 
the algorithm for g. Two definitions specifying functions which can be 
computed by identical algorithms clearly specify the same functions. 

We now begin a review of the existing techniques for proving equiva- 
lence of recursive functions. 
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1.2 Recursion Induction as defined by McCarthy 

In McCarthy's formalism the right hand side of a definition is a 
form which contains certain variable function names. For example, if 
f (x) = if Px then fFx else x, then f s £(f) where (I represents the con- 
ditional form. Then g s £(g) defines exactly the same function. This 
is true because for all x, g(x) is evaluated by following the same algo- 
rithm as is followed in evaluation of f(x). A proof of the equivalence 
of two functions then would go as follows. Given two function definitions 

f(x) s £'(f)(x) defines f 
g(x) = ^(g)(x) defines g 

find a third function h(x) s 5f(h)(x) and show that 

f(x) = ii(f)(x) 

Then we can say that f =g on the domain of h . If h(x) converges, then 
f(x) and g(x) are defined and equal to h(x). 

There are a few difficulties in using this method. Very little is 
said about how to transform the defining conditionals into the required 
third form, or for that matter, about how to come up with the third form 
in the first place. We can use the axioms about conditionals, and results 
of any other proofs by recursion induction or any other valid proof tech- 
niques (proof by analysis of cases, etc.). Often several subproofs and 
the generation of many intermediary "auxiliary functions" are required. 
No insights are offered as to how proof by recursion induction could be 
carried out mechanically. The generation of the third form is more often 
related to knowledge of the algorithm and alternatives to it, then to the 
forms of the conditional expressions themselves. 

Also, the fact that equivalence can be proved only over the domain 
of a third function leaves the problem of analyzing the domains of the 
functions involved, "a <p*«ti«n «fciBfee$ifc asr w«*" tHee 
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Example of Proof by Recursion Induction 

Arithmetic example from McCarthy's paper 

The primitive functions are succ and pred (successor and predecessor) 

1. g(m,n) = succ(f(m,n)) 

2. h(m,n) = f(succ(m),n) 

where f(m,n) a if n = then m else f (succ (m), pred (n)) 

[f (m,n) = m + n; g(m,n) is the succ of (m + n) and h(m) 
is the (succ of m) + n] 

We will show g = h on the domain of i where 

i(m,n) = if n * then succ(m) else i(succ(m), pred(n)) 
aj(i)(m,n). 

1. g(m,n) s succ(f(m,n)) 

= succ (if n = then m else f (succ(m), pred(n))) 

■ if n a then succ(m) else succ (f (succ (m), pred(n))) 

= if n = then succ(m) else g(succ(m), pred(n)) 

2. h(m,n) = f(succ(m),n) 

= if n = then succ(m) else f (succ (succ (m)), pred (n)) 

= if n = then succ(m) else h(succ(m), pred(n)) 
= J(h)(m,n) 
.". h = g on the domain of i. 
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1-3 Structural Induction as Defined by Burs tall 

This method for proving facts about programs applies to recursive 
programs which operate on a recursively defined domain of structured 
data. The data structure must be defined in such a way that a natural 
ordering exists on the class as a whole. This ordering must be a par- 
tial ordering which satisfies the minimum condition, i.e. every non-empty 
subset has a minimal element, where x is a minimal element of S if there 
is no s < x in S, (This means that there can be no infinite descending 
chains.) The function definitions must be made in such a way that each 
level of recursion involves operations on structures which are less com- 
plex, or lower in this ordering, than the structures of the next higher 
level of recursion. By the minimum condition we know then that any such 
computation beginning on data in the class, must terminate. Proofs then 
proceed by course of values induction on the complexity of the structure, 
which means that to prove that a structure of arbitrary complexity has 
property P one must prove that the minimally complex elements have P and 
that if all structures of complexity i < j have P then a structure of 
complexity j has P. For example, for a program, f, which operates on 
list structures, to prove property P (where P might be that f (x) is equal 
to g(x) for all x) it must be shown that f(x) has P assuming f(x') has P 
for all x* sublists of x and that the null list has P. As long as a 
partial ordering can be defined on the domain, structural induction can 
be used even if it is not otherwise natural to consider the data to be 
structured in the sense that lists are structured. 

You will notice that it is only meaningful to talk about applying 
structural induction, as described, to interpreted schema. An interpre- 
tation is needed to define either the domain and its ordering, or the 
structure with primitive functions being interpreted as the appropriate 



The general schema of course-of-values induction on integers is 
r, Tj CVi ( (i f < T ft Pfr) ) -» "Hi) ) 



Vk P(k) 
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constructor, selector and predicate operations. Referring again to the 
example of lists as the domain of definition, the primitive functions 
used in function definitions must correspond to such list operators as 
head-of-list, rest-of-list, concatenate and the primitive predicate might 
be "is atom" or "equals null list." 

Example of a Proof by Structural Induction 

We can prove the equivalence of g and h defined in the example of 
proof by recursion induction by recognizing that the following ordering 
on the ordered pairs on which the functions operate satisfies the minimum 
condition: 

(xpyp © (x 2 ,y 2 ) 
iff y t < y 2 

where < is the usual relation "is strictly less than" for integers. Now 
we have to prove two things: 

!• g(x,0) - h(x,0) fbr any x 

(the set C(x,0)|x a number} contains all the ordered pairs which 
are "atoms" or minimally complex structures) 

2. if g(x,i) «= h(x,i) for any i < j 

then g(x,j) = h(x,j) 

1. g(x,0) s succ(f(x,0)) 

- succ (if = then x else f (succ(x), pred(O))) 
=» succ(x) 
h(x,0) = f(succ(x),0) 

= if ■ then succ(x) else f (succ (succ (x)),pred(0)) 
= succ(x) 
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2. g(x,j) a succ(f(x,j)) 

* succ(if j = then x else f (succ(x),pred(j))) 

- if j «* then succ(x) else succ(f (succ(x),pred(j))) 

* if j = then succ(x) else g(succ(x),pred(j)) 
= if j = then succ(x) else h(succ(x),pred(j)) 

(by induction) 
h(x,j) s f(succ(x), j) 

= if j = then succ(x) else f (succ(succ(x)),pred(j)) 
= if j * then succ(x) else h(succ(x),pred(j)) 

For structural induction to apply the functions must be total over 
a particular well-defined domain. One method often used to prove total- 
ity of a function over a domain is to show that at each level of recur- 
sion, the value of some variable associated with the computation is de- 
creased and that this variable cannot decrease in value indefinitely 
(Floyd [3]). This proof is implicit in a proof by structural induction, 
since the technique could not be applied at all unless such a variable 
could be defined. In the example given the variable was the value of the 
second argument in successive calls. In a sense equivalence is proved 
only over the domain of a third function, this function being the defining 
or testing function for the structure. It appears, then, that structural 
induction is only a special case of recursion induction, recursion induc- 
tion applied only to programs meant to operate on structured data or on 
partially ordered domains. Also, it may be expected that for many proofs 
by recursion induction, no proof by structural induction exists. This 
occurs in any case where no structure can be ascribed to the data for 
which the function is defined, and in particular for uninterpreted 
s chemas . 
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1 '^ Recursive Definitions as Mappings Between Lattices 

Before discussing the next two induction principles it is necessary 
to review some results of lattice theory (Park [8] ) from which alterna- 
tive interpretations of the recursive definitions can be formulated. We 
will not go into lattice theory in any depth, but will simply cite sev- 
eral definitions and theorems and show how they relate to the function 
definitions. 

A lattice is a set with a parfcial ordering such that every pair of 
elements in the set has a least upper bound and a greatest lower bound. A 
complete lattice is a lattice in which every subset of the lattice has a 
least upper bound and a greatest lower bound. To see the relation to 'our" 
study we must realize that the algebra of subsets of a set is a complete 
lattice and that functions mapping n-1 tuples into single values can be 
viewed as n-ary relations. The set of all n-ary relations on a set D forms 
a complete lattice with s (set containment) as the partial order and any- 
thing true for complete lattices will be true for this set. Recursive 
definitions will be interpreted as mappings from the set of relations in- 
to itself. The function defined by such a definition will then correspond 
to a fixpoint of this mapping. 

Let us first consider an arbitrary lattice L. A mapping c:L -♦ L is 
monotonic if for all a^ c m 2 , cd^) c c(m 2 ). We define now 

(1) conv(c) = n {m|c(m) Cm}. 
and notice that 

(2) c(m) g m -» conv(c) c m 

The fixpoint theorem of Knaster-Tarski states that for c monotone 

(3) c(conv(c)) « conv(c) 
conv(c) = n {m|c(m) = m} 

or, in words, first, conv(c) is a fixpoint of the map c, and second, that 
conv(c) is the minimal fixpoint. (Proofs in appendix.) 



■16- 



One further definition leads to an even more illuminating repre- 
sentation of the fixpoint conv(c). A map c is continuous if whenever 
m_ c m 1 s ... then 



4 U m ) = U c(m.), 
i=0 x i=0 1 



When c is monotone and continuous 

(4) conv(c) = (J c X (0). 
i=0 



Now let us see the operation of function definition as a mapping. 
We use here an example from arithmetic. Let 6(f) = \x. if x = then 1 
else x*f (x-1). Then for any known relation f, ^(f) is another relation, 

^(f) = {(0,1), (l,l*f(0)), (2,2*f(l)), (3,3*f(2)), ... } 

For example, if f is the identity function, then 

£ (f) = {(0,1), (1,0), (2, 2), (3, 6),...}. If f is the factorial 

{ (0,1), (1,1), (2, 2), (3, 6),...}, then £(f) = { (0, 1), (1,1), (2,2), (3, 6), . . . }, 

i.e. C(f) = f, the factorial function is a fixpoint of £ . Also note that, 

if for a moment the domain of interest is extended to the integers, then 

if f = (...,(-3,0),(-2,0),(-l,0),(0,l),(l,l),(2,2),(3,6),...}, then again 

£(f) = f. 

When we write f = C(f) our intention is that f represent the minimal 
fixpoint of the definition (or mapping) £. From lattice theory, it is 
known that all monotonic mappings have fixpoints. If this method of 
writing definitions, i.e. using composition of functions and forming 
conditional expressions, always leads to monotonic mappings then all such 
recursive definitions are guaranteed to be meaningful in the sense that 
each such definition specifies a unique function and that function is the 
minimal fixpoint of the mapping associated with the form. By considering 
the logical implications of conditional expressions it can be shown that 
all such definitions are indeed monotonic (see Park [8]). By examining a 
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few conditional expressions for monotonicity, the reader should be able 
to convince himself that monotonicity will hold for the class of defi- 
nitions we have been discussing. A rephrasing of the meaning of mono- 
tonicity may help. Say we are given a conditional expression C, and we 
want to compute £(f) for a particular function f with infinite domain. 
As we begin to specify f we can begin to compute <^(f). That is, a cer- 
tain amount of information about f yields certain information about £(£) . 
Added knowledge about f can reveal further members of £(f), but mono- 
tonicity guarantees that no new information will ever force a change in 
the former characterization of £(f). If f and ^(f) are n-ary relations, 
then when an n-tuple is found to be in (^(f) based on a finite number of 
n-tuples known to be in f, then that n-tuple is in C(£) and no further 
information about f will ever show that £(f) does not contain that n- 
tuple. In computer programming whare programs often represent potentially 
infinite computations, although only finite computations can be carried 
out, it is good to know that results obtained in a finite amount of time 
are reliable. That is the importance of the monotonicity of these defi- 
nitions. 

Now, once we know that the definitions are meaningful, we would like 
to understand how the minimal flxpoint of one of them can be found. Since 
conditional expressions will always represent continuous mappings, there 
is a technique. Continuity of a mapping, C , means that for a series of 

CO 

functions f 1 c f £ ... such that IJ f. = f, the series of functions 

i = 1 L CO 
Af-,) £ (?(£-) <= ... has the property that (J Ci.t.) = C{£) . The reader 
^ i=l x 

will find that if he allows himself to use only the operations set out 
above he can generate only continuous mappings (see appendix for a defi- 
nition which is not continuous). Then, as noted above (4), the fixpoint 

xj oo ■; 
of C is (J C (0). In the lattice of n-ary relations is Q, the unde- 

i=0 
fined relation. 

For example, we compute the fixpoint of the factorial function as 
follows : 



•18- 



e l0 (n) = n = f Q 

O 1 ®) = {(o,i)} = f x 
C 2 (n) = {(o,i), (i,i)} = f 2 

£ 3 (fi) = {(0,1), (1,1), (2,2)} = f. 



f = U f t 

1=0 

Notice that in this case a pair added to the function at £7 (fi) represents 
a computation which requires n levels of recursion. 

f(3) = 3*f(2) = 3*2* f (1) = 3*2*l*f (0) = 3*2*1*1. 

In a proof, induction on level of recursion is induction on the indexes 
of these finite approximations to a function. 

Before leaving this section we will remark on one more theorem, the 
one which resulted immediately from the definition (1) of conv(c). It was 
(2) c(x) c x -+ conv(c) c x. This is interpreted to be the rule for re- 
cursion induction, since it prescribes a very similar proof technique. 
Given functions f and g defined by f = (J (f) and g = <0(%) (in other 
words f = conv(<^), g = conv(<^) we can attempt to prove equality directly 
by showing 

1. f = Af) 
2 - g = 6(g). 

These results and the theorem (2) imply 1. f c g, and 2. g q f . There- 
fore f = g. When the third function h = .Jr(h) is used as described by 
McCarthy this theorem is involved twice to get the results h £ f and 
h Q g. This says that f and g are equal over the domain of h. 
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1.5 The ia-rule 

In an unpublished paper Scott and deBakker build an algebraic 
theory of programs. In it are the usual axioms for conditional expres- 
sions, and axioms which force a model for the theory to contain only 
monotonic, continuous functions. There is one rule of inference, the 
u-rule. It is essentially a rule for simple induction on the level of 
recursion. The rule is 

Premises: Y(Q) Y(X) -» Y(<^(X)) 

Consequent: Y(conv(£ )) 

where Y is the predicate (perhaps it is equivalence of two definitions). 
If it can be shown that Y is true for the empty function, Q, and that Y 
true for a function X implies that Y is true for L'(X), then we can as- 
sume Y(conv(C))» This is more meaningful if we recall that 

conv((l) = fi l)c}(n) U ^ 2 (n) U By simple induction on i, YC^Cn)) 

is established for all i. By definition of conv(6), this establishes 
Y (conv (C ) ) • 

Facts to be proved are usually equivalences of two functions or 
containment of one function by another, but as with the other methods, its 
use can be extended to consider other predicates if suitable extensions 
are made to the language. With the u-rule some questions of domains of 
functions seem to be taken care of more easily. If the programs "operate" 
in similar ways, i.e. always testing the same predicates on the same argu- 
ments, the domain comparison is automatically done. However, we do not 
find ourselves with an answer to the question of convergence (as we know 
we could not). Often it can be proved that one function is contained in 
another, but to prove equivalence would be to prove the totality of one 
of the functions. While such a proof may be possible given facts about 
the particular program (properties of numbers if a program involves 
arithmetic) it will not fall out of a proof in this theory. 
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Example of Proof by u-rule 

Again, we use the same example. 

We prove Y(f) = succ(f(m,n)) = f(succ(m),n) 

where f is the minimal fixed point of the definition 

i.e. f(m,n) = £(f)(m,n) = if n = then m else f (succ(m),pred(n)) 
We need to prove 

1. Y(Q) 

2. Y(X) -> Y(£(X)) 

1. succ(n(m,n)) = Q (m,n) 
fi(succ(m,n)) = Q (m,n) 

2. succ(£ (X)(m,n)) = succ(if n = then m else X(succ(m),pred(n))) 

= if n = then succ(m) else succ(X(succ(m),pred(n))) 
= if n = then succ(m) else X(succ(succ(m)),pred(n)) 

(by assumption that ¥(X) holds) 
= C(X) (succ(m),n) 

Finally, note that recursion induction, in the form attainable from lat- 
tice theory, i.e. £ 7 ( x ) ex-* conv«2) £ X is a theorem in this theory. 
Recursion induction, then is clearly no stronger than the ^-rule on con- 
tinuous functions. 
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1. 6 Truncation Induction as Defined by Morris 

This method also depends heavily on the realization that we are 
dealing only with continuous mappings. For any recursive definition 
f s (j ' (f ) the truncations of f are the functions f_,f..,f„, ... where 

f is f restricted to n levels of recursion 

n 

This means f . = Q 



f i = ?<v 



h = C<h> = £ 2 <V 



and as stated before 

(i) f = U /^(n) = U f, 

i=0 1=0 

For a particular x, f (x) = y if and only if there is an i such that 
f. (x) = y, since the ordered pair (x,y) is in f, as defined in (1), if 
and only if (x,y) is in f. for some i. Therefore, a proof that for each 
i, the ordered pairs in f. satisfy some condition, is, a proof that this 
condition must also hold for the function f . For example, if for each i, 
f. contains only ordered pairs of the form (x,0) then the ordered pairs 
in f can only be of that form. In comparing two functions, f and g, if it 
can be shown that for all i, f. = g., then clearly f = g. 

To obtain results about f. proofs proceed by course-of-values induc- 
tion on the index of the truncations. From P(f„) and V. _ P(f.) -» ?(f.) 
we infer P(f). 

The difference between truncation induction and the u-rule is that 
the latter method is restricted to the use of simple induction on these 
truncations. Both methods are equally powerful, but whether course-of- 
values induction or simple induction is more convenient in dealing with 
recursive function can still be questioned. Morris' main argument for 
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truncation induction is to compare it to McCarthy's recursion induction 
and show that some of the convergence problems can be avoided. However, 
with a looser interpretation of recursion induction, which we will see is 
justified, as much can be said about convergence. And of course using 
truncation induction still does not make it possible to directly prove 
strong equivalence of a recursively defined function and a constant one. 

Example of Proof by Truncation Induction 

We want to prove succ(f(m,n)) = f(succ(m),n) 

where f (m,n) = if n = then m else f(succ(m), pred(n)) 

From this definition we define the truncations of f to be 

f . (m,n) - if n = then m else f. 1 (succ(m),pred(n) ) 

We must prove 1. succ (f n (m,n)) = f.(succ(m),n) 

2. if Vi<j, succ(f . (m,n)) = f . (succ(m),n) 
then succ (f . (m,n)) = f . (succ(m),n) 

1. succ(f_(m,n)) = succ(n(m,n)) = Q(m,n) 
f (succ(m),n) = fi(succ(m),n) = Q(m,n) 

2. succ(f . (m,n)) = succ(if n = then m else f ._.. (succ(m),pred(n))) 

= if n = then succ(m) else succ(f. 1 (succ(m),pred(n))) 
= if n = then succ(m) else f ._.. (succ (succ (m)) ,pred(n)) 



(by induction) 



f . (succ(m),n) 
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2.2 Structural Induction and Truncation Induction 

While structural induction and truncation induction depend on dif- 
ferent properties of functions, the former being induction on the com- 
plexity of a data structure, and the latter on the complexity of a com- 
putation structure, the restrictions on the form of function definition 
as specified by Burstall make these differences insignificant. The fol- 
lowing comments on this restricted class of definitions will show that 
complexity of data structure and level of recursion are so closely re- 
lated in these definitions, that they are interchangeable as indexes for 
inductive proofs. 

Structural Induction is a special case among the inductive methods. 
It is the only one which is defined for interpreted programs, and only 
for those which operate in a particular way on structured data types, 
(i.e. We cannot use an arbitrary well-defined ordering on the domain for 
induction. It must be an ordering such that each recursive call by the 
function is guaranteed to be made with an argument which is lower in the 
ordering.) On these programs, structural induction is quite simple to 
use and to justify independent of facts about recursive functions. The 
induction involved is induction on the complexity of an ordering on data, 
a familiar type of induction not requiring the introduction of any new 
knowledge or notations about functions. The recursion implicitly involved 
in the function definition is not the interesting phenomenon. The proof 
works because of properties of the data structure, rather than properties 
of the recursive nature of the function. The actual proof is an examina- 
tion of the function in terms of calls on less structured data, rather 
than in terms of calls requiring fewer and fewer nested calls, or calls 
on less fully specified partial functions. No insight into fixpoints or 
their constructions is necessary. 

Structural induction could as easily be justified by considering the 
structure of the recursive functions. In fact, if truncation induction 
is used in a proof about functions defined in the specified way it would 
be found that exactly the same inferences are made though supposedly for 
different reasons. Let us examine the general pattern of a proof by 
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structural induction of the equality of two functions, f = $! (f) and 
g s >4(g), on a domain of structured data. To prove Vxf(x) = g(x) we 
prove first that f(x ) = g(x.) for all x. which are atoms or minimally 
complex structures. This part of the proof will necessarily be very 
straightforward since evaluation of P(x.), (or g(x.)), x. atomic, cannot 
involve recursive calls on f (or on g) since any recursive call on f 
(or g) is made with an argument with less complex structure than that 
of the original argument. When this original argument is already mini- 
mal, the final result must be directly obtainable from known functions. 
This is clear from the definition of the function which in general takes 
the form 

(1) f(x) = if (x atomic) then ^(x) else C Ai) (x) 

Therefore, by analysis by case (should there be more than one minimal ele- 
ment) this first part of the proof should be trivially true. 

Next we must prove that for any x which is not minimal f(x) = g(x), 
given that ?x ' < x, f(x') = g(x'). Again, we refer to the restriction on 
the forms of f and g. Since any occurrence of f on the right hand side of 
the definition f(x) = Ji (f ) (x) represents an application of f to a less 
complex structured argument, the assumption f(x') = g(x') may as well be 
restated as an assumption that ?x(f(x) = g(x)) for all subsequent calls 
on f and g. To be sure that the induction hypothesis is used only when 
valid, subscripts might be used to differentiate between the original use 
of f and subsequent recursive calls. 

The similarity to truncation induction is becoming more obvious now. 
The induction step is virtually identical for proofs on this class of pro- 
grams. It is necessary to prove f . (x) = g. (x) assuming either that 
f .(x) = g.(x)for j < i or that for all recursive subcalls on f and g in 
the evaluation, f(x) = g(x). How does the basis for induction compare? 
In truncation induction we show f n (x) = g n (x). Then from the induction 
step it follows that f, (x) = g 1 (x). In terms of the definitions of f 
and g, this means ^ (n) (x) =>4-(fi)(x). Referring back to the general 
form (1) of functions for which it is meaningful to consider proof by 
structural induction, this says that f and g agree for the atomic 



-26- 



structures. Thus the analogy is completed between structural induction 
and truncation induction. When we prove f(x) = g(x) for x atomic we are 
establishing f,(x) = g..(x). This is then the basis of induction, 
whether we consider it to be induction on the complexity of the data 
or on the depth of recursion. 

The validity of starting proofs from this basis seems questionable 
in light of the construction of the minimal fixpoint. For most statements 
provable by structural induction, it is true that the basis generally used 
for truncation induction proof is true as well and in translating to a 
trunction induction proof we could, in fact, write a valid proof with the 
statement for i = as the basis. Thus any two recursively defined func- 
tions known to be equivalent due to proof by structural induction, can gen- 
erally be shown to be strongly equivalent by truncation induction and 
therefore equivalent on the domain of interest, confirming the results of 
the structural induction proof. However, a structural induction proof may 
be dependent on the implicit assumption that any function to be examined 
is total on the domain of interest (this assumption can, in fact, be 
proved as noted at the end of section 1.3). For an example, take a defi- 
nition f = J? (f ) satisfying the criteria for structural induction and de- 
fining the function f, where f (x) is equal to the constant A for all x. 
A structural induction proof that f (x) = A is easy to write. However, 
by truncation induction alone, only the weaker statement f c \x.A can be 
proved. This is true because the strongest statement provable as a basis 
for induction is f c Xx.A. The statement f (x) = A is not true. The 



The reader might note that structural induction as stated here seems a 
bit redundant, in that the proof of equality of f(x) = g(x) for x atomic 
is included in the proof of f (x) = g(x) for general x, since clearly 
there must be a correspondence between the first then-clauses of both 
definitions for the induction step to carry through, and this correspond- 
ence proves f(x) = g(x) for x atomic. This redundancy occurs here because 
of the consistent use of McCarthy's notation writing the whole conditional 
in each part of the proof. Burstall, in his paper [1], makes a few nota- 
tional changes and writes functions by case. Then using analysis of cases 
in proof, the cases x atomic and x not atomic are separate and the two 
parts of the proof do not overlap. In examples, where identity is clear, 
unnecessary parts will be omitted. 
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1. succ(f(m,n)) = succ(if n = then m else f (succ(m),pred(n)) ) 

= if n = then succ (m) else succ(f (succ(m) ,pred(n)) ) 
= if n = then succ(m) else f (succ (succ (m) ),pred(n)) 

(by induction) 

2. f (succ(m),n) = if n = then succ(m) else f (succ (succ (m)),pred(n) ) 

The truncation induction proof of succ(f . (m,n)) = f . (succ(m),n) follows 
simply by combining the two parts of the structural induction proof with 
subscripts added. 

succ(f . (m,n)) = succ(if n = then m else f . (succ(m),pred(n))) 

= if n = then succ(m) else succ(f . _, (succ(m),pred(n))) 
= if n = then succ(m) else f . _, (succ (succ (m)),pred(n)) 

(by induction) 
= f . (succ(m),n) 

Example 2 (from Burstall [1]) 

lit(f,s,y) = if empty(s) then y else f (head( s),lit(f ,rest(s),y)) 

[head(s), rest(s), concat(sl,s2) are primitive functions corresponding to 
the obvious list operators] 

We want to prove 

lit(f,concat(sl,s2),y) = lit (f ,sl,lit (f ,s2,y)) 

The proof will be by structural induction on the list si. 

1. for si = nil 

lit(f, concat(sl,s2),y) = lit(f,s2,y) 

lit(f,sl,lit(f,s2,y)) = lit(f,s2,y) 
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2. for si ^ nil 

lit(f,concat(sl,s2),y) = f (head(concat (sl,s2)),lit (f ,rest(concat(sl,s2)),y)) 

= f (head (si ) , lit (f , concat (rest (sl ),s2),y)) 

= f(head(sl),lit(f,rest(sl),lit(f,s2,y))) 

(by induction) 
lit(f,sl,lit(f,s2,y)) = f (head (si), lit(f ,rest(sl),lit (f ,s2,y))) . 

In this proof it is not obvious how the assumption about the domain 
is used until we try to set up the induction hypothesis for a truncation 
induction proof. 

We want to prove lit. (f ,concat(sl,s2),y) = lit. (f ,sl, lit^f ,s2,y)) 
However, for i,sl,s2 such that i < length (concat (sl,s2)) but i £ length(sl) 
and i 2: length(s2) the left hand side is undefined while the right hand 
side is defined. 
We can therefore only prove 

lit. (f,concat(sl,s2),y) c lit. (f , si, lit. (f ,s2,y)) 

1. base 

fi(f,concat(sl,s2),y) = Q (f ,sl,n(f ,s2,y)) 

2. lit. (f ,concat(sl,s2),y) = if empty (concat(sl,s2)) then lit.(f,s2,y) 

else f (head(concat(sl,s2)),lit._- (f ,rest(concat (sl,s2)),y)) 
= if empty(concat(sl,s2)) then lit.(f,s2,y) 

else f (head (si), lit. _ 1 (f, concat (rest (si), s 2 ),y)) 
c if empty (concat (si, s2)) then lit. (f,s2,y) else f (head (si), lit. _., (f , 



rest(sl),lit i _ 1 (f,s2,y))) 



= lit i (f,sl,lit i (f,s2,y)) 



Once the correct subscripting is decided on, all steps are just simple 
transcriptions of the steps of the structural induction proof. 
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Example 3. Illustrating the case in which domain assumptions are involved 
in a proof comparing a recursively defined function to a known function on 
the natural numbers. 

f (x) h if x = then 1 else x*f (x-1) 
we want to prove f (x) = x! 
By structural induction: 

for x = f(x) = 1 and x! =1 
for x t f(x) = x*f (x-1) 

= x* (x-l)i (by induction) 
= x! 
f (x) = x! 

To do a truncation induction proof we would want as our induction 
hypothesis f. (n) = n!, however, this is not true for any i. Instead we 
will prove f . (x) c x! 

1. f Q (x) = n(x) c x! 

2. f (x) = if x = then 1 else x * f, (x-1) 

■L X"* J. 

= if x = then 1 else x * (x-1)! 
= x! 
.-. f(x) c x!. 

From the form of the computation (which performs successive reductions in 
the initial integer argument) it is clear that f(n) converges for all 
natural numbers. Therefore, f(x) = n! for n a natural number. 

Notice that this sort of argument does not just allow one to ignore 
the difference between containment and equality in cases outside the class 
of programs for which structural induction can be used. For example, with 
the following function: 
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f (x) = if x = 1 then else if x even then f(x/2) else f(3x+l) 

at present, only f c Xx.O can be proved since there is no known independent 
way of describing an ordering on the integers such that a convergence argu- 
ment can be made showing f to be total over the natural numbers. 

For completeness, note the fact that although truncation induction 
has more general application it is consistent with structural induction 
whenever applied to definitions in the class to which this method applies. 
Therefore any fact proved by truncation induction about such a program 
will clearly be provable by structural induction. Furthermore, a legiti- 
mate proof by structural induction can be written quite mechanically by 
simply copying the truncation induction proof without the subscripts. 
This gives us the induction step, the basis being easily extractable as 
discussed above due to both the form of the definition and notational con- 
ventions . 
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2.3 u-rule and Truncation Induction 

The difference between u-rule and truncation induction is essentially 
the difference between simple and course-of-values induction. Both meth- 
ods are based on the same construction of fixed points, namely 

CO 

conv(Q = y (J (Q). In comparing some pairs of functions you will find 
i=0 

that often the equality of the two functions for a particular argument 

is based on their equality for other arguments found after some finite 

number of recursive calls. Or, to put it another way, it may be that for 

each x, if f(x) and g(x) are defined at stage i of the constructions of 

f and of g, then they are equal if and only if f(x') = g(x') at some 

stage j<i, j^i-1. To prove equivalence by truncation induction is 

simple, since the assumption is for all j < i. By u-rule, a series of 

proofs must be performed, establishing identities _at^ s tag es 

j, j+1, ..., i-1 so that each proof requires looking back only one step 

in the construction. That there is no real difference in proving power 

between these two methods becomes clear by establishing procedures for 

transforming one type of proof into the other. 

That u-rule induction is no more powerful than truncation induction 
is clear, since a u-rule proof can be interpreted as a truncation induction 
proof directly, where all induction hypotheses happen only to be applied at 
one level. If, on the other hand, an equality is established by truncation 
induction, it will also be possible to prove it by u-rule. Keeping in mind 
that the only additional restriction is the limit of looking back one step 
at a time in the construction, it can be seen that the u-rule proof will 
have to be a series of proofs, one for each level at which the induction 
hypothesis is used. We will now go into more detail on these observations 
and work out a few examples. 

Truncation induction allows us to assume f = g for all occurrences of 
f in the computation of ^(f)(x), while the u-rule allows this assumption 
only for the occurrences of f at the first level of recursion. This ex- 
plains the statement of the u-rule induction step as being a proof that 
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P(X) =» P(^/?(X)). It is a notational convenience to help in avoiding the 

temptation to expand < J/(f)(x) to ^ (^*(f ),x) and to possibly reuse the 

/ 
induction hypothesis. It is true that f = g in ,^(f)(x) but it is no 

longer true that, for this f, f = «^(f). This f is a dummy variable about 
which only P(f) is known. We will see though that this may not be such a 
restricting condition, by showing how we can always find a |j,-rule proof if 
we already have a truncation induction proof. 

If P is a conduction P- A ... A P. and we know P(X), then we 
know P,(X) A ... A P^OO. Then proving P(conv(^*)) for some function speci- 
fied by the definition f = yt(f) proves P,(conv(£)) and . . . and P,(conv(J&)) 
simultaneously. In a truncation induction proof there can only be a 
finite number of inferences which follow from the definition f s ^(f). 
For each of these inferences which would be invalid in a proof by |a-rule 
P. can be defined to be the part of P which will allow us to make the 
necessary inference. Let us do the conversion for one case before dis- 
cussing the general case any further. 

Example 1. 

prove f(x,y) = g(x,y) by truncation induction 

f (x,y) = if Px then y else Gf (Fx,y) 

g(x,y) = if Px then y else g(Fx,Gy) 

1. f^x.y) = 

2. if Px the y else Gf._,(Fx,y) 

3. (ind) = if Px then y else Gg. 1 (Fx,y) 

4. (def) = if Px then y else G(if PFx then y else g._ 2 (FFx,Gy)) 

5. = if Px then y else if PFx then Gy else Gg. _ 2 (FFx,Gy) 

6. (ind) = if Px then y else if PFx then Gy else Gf . _ 2 (FFx,Gy) 

7. (def) = if Px then y else f._ 1 (Fx,Gy) 

8. (ind) = if Px then y else g._, (Fx,Gy) 

9. (def) = g i ( x ,Gy) 
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2 - = if Px then y else GX(Fx,y) 

3. (ind) 1 = if Px then y else GY(Fx,y) 

7. (ind 2 ) = if Px then y else X(Fx,Gy) 

8- (ind ][ ) = if Px then y else Y(Fx,Gy) 

9. (def) = ^(X)(x,y) 



Proof of P 2 (J£(X), ^f(Y)) 
3. G(^f(Y)(Fx,y) = 



4. G(if PFx then y else Y(F x, Gy)) 

5. = if PFx then Gy else GY(F 2 x,Gy) 

6. (indp = if PFx then Gy else GX(F 2 x,Gy) 

7. (def) .= ^(X)(Fx,Gy) 

The reader may find that a shorter proof by |a-rule is possible if 
P 2 is formulated slightly differently, but the predicate as stated here 
shows the exact correspondence between the two proofs and would be the 
best choice in terms of a mechanical translation from One proof to the 
other . 

In the general case, a few more properties of the proof may have to be 
taken into account in formulating some P, . In the second level proof in ex- 
ample 1 the only facts used were the induction hypothesis and the fact that 
G was distributive over the clauses of a conditional. However, the entire 
subproof took place under the additional hypothesis that — i Px was true, 
since all changes were in the else-clause of a conditional based on the 
test Px. Actually P_ should have been -i Px-» Gg(Fx,y) = f(Fx,Gy). It is 
not difficult to find examples of proofs where facts about the arguments 
implied by the result of a conditional test are necessary conditions for 
further equivalences. It just happens that in this case it is true that 
for all x,Gg(Fx,y) = f(Fx,Gy). Also, it may occasionally be necessary in 
a proof by truncation induction to use as justification for one step the 
result of some other proof by truncation induction. This result too can 
be treated as a constituent of the predicate to be proved by the u-rule, 
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and its proof will be found in the same manner. 

A more general procedure for changing a proof by truncation induction 
to a proof by |j-rule follows. Given a proof ~r of P (f . , ... f ) by trun- 
cation induction we will prove P (f .. , ..., f ) where P =PAP ... AP A 

(j. I n u t y^ y n 

P A ... A P where 
X 1" 2 1 ^-^m 

(1) P is a predicate corresponding to the subproof yi 

^i 

(2) P is the predicate C -♦ P. 

x i" z i x i 

where P. is the predicate which would justify skipping the block of 

lines x. to y. if x. . follows from x. by an expansion by definition of 

a function (and x. ^ 1) and y. is the first line after x. in which all 
11 l 

functions are again at level of recursion of line x. . 

C. describes the conditions which hold for the clause of the condi- 
tional in which the fact that P. is true of the functions involved is used. 

l 

Once the proper predicate is formulated, proof is written by transcribing 

of the lines of "f into -f' in the obvious manner. 

t p. 

Example 2. 

We will prove g(x,x) = h(x), by showing g. (x,x) = h.(x). 

f(x) = g(x,x) 

g(x,y) = if Px then hy else g(Fx,y) 

h(x) = if Px then x else hFx 
basis g Q (x,x) = n(x,x) = n(x) = h Q (x) 

1. g^x.x) = 

2. if Px then hx else g. _(Fx,x) 



3. = if Px then x else g. .. (Fx,x) 



4. (subpr) = if Px then x else g. , (Fx,Fx) 

5. (ind) = if Px then x else h. , (Fx) 

l-l 

6. (def ) = h. (x) 



(Px => h(x) = x) 
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Proof that for all i (yxYy (-, Px -» g. (y,x) = g.(y,Fx))) 



1- g 1 (y,x) = 

2. if Py then hx else g.,(Fy,x) 

3. = if Py then hFx else g._,(Fy,x) 

(-iPx=» hx = hFx) 

4. (ind) = if Py then hFx else g._-(Fy,Fx) 

5. (def) = g i (y,Fx) 

From this proof by truncation induction we formulate the following proof 
by |_i-rule. 

P (g,h) = g(x,x) = h(x) A nPx=» g(Fx, x) = g(Fx,Fx) 

The induction part of the u-rule proof will be: 

1. ^(X)(x,x) 

2. = if Px then hx else X(Fx,x) 

3. = if Px then x else X(Fx,x) 

4. (ind2) = if Px then x else X(Fx,Fx) 

5. (indl) = if Px then x else Y(Fx) 

6. (defn) =J^(Y)(x). 
and 

1. ^f(X)(y,x) 

2. = if Py then hx else X(Fy,x) 

3. = if Py then hFx else X(Fy,x) 

4. (ind2) = if Py then hFx else X(Fy,Fx) 

5. (defn) =^(X)(y,Fx) 
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At the beginning of this section we also suggested a way of finding 
a truncation induction proof to correspond to a given u-rule proof. The 
simplest way is to note that a |_i-rule proof is a truncation induction 
proof in which only a restricted form of the induction hypothesis is 
used. A substitution throughout the proof of f. for J& (X) and of f , 
for X will directly yield a truncation induction proof. If the u-rule 
proof is of a complex statement (i.e. a conjunction of statements) it is 
simply necessary to use a corresponding conjunction for the truncation 
induction proof. 

Example 3 

We want to prove f (x,y) = g(x,y) and will do this by the u-rule by proving 
f(x,y) » g(x,y) A Gg(Fx,y) = g(Fx,Gy) 

1. fi(x,y) - n(x,y) 
G(D(Fx,y))= n(Px,Gy) 

2. a. ^(X) (x,y) -s if Px then y else GX(Fx,y) 

= if Px then y else GY(Fx,y) 

(by induction 1) 
= if Px then y else Y(Fx,Gy) 

(by induction 2) 
= J(Y)(x,y) 
b. Gjf(Y)(fx,y) s G(if Px then y else Y(FFx,Gy)) 
= if Px then Gy else GY(FFx,Gy) 
= if Px then Gy else Y(FFx.GGy) 

(by induction 2) 
= >^(Y)(Fx,Gy). 
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A corresponding truncation induction proof is then: 
We want to prove 

f(x,y) = g(x,y) A Gg(Fx,y) = g(Fx,Gy) 
and do so by proving by induction that 

Vi(f\(x,y) = g j .(x,y) A Gg.(Fx,y) = g(Fx,Gy)) 



1. f Q (x,y) = g Q (x,y) A Gg Q (Fx,y) = g Q (Fx,Gy) 

2. assume f.(x,y) = g.(x,y) A Gg (Fx,y) = g (Fx,Gy) 

for j < i 



f»(x,y) = if Px then y else G f.^CFx.y) 
= if Px then y else G g._, (Fx,y) 

(by induction 1) 
= if Px then y else g._..(Fx,Gy) 

(by induction 2) 
= gi (Fx,Gy) 
and Gg. (Fx,y) = G(if Px then y else g. _ 1 (FFx,Gy)) 
= if Px then Gy else G g._- (FFx,Gy) 
= if Px then Gy else g. _ 1 (FFx,GGy) 

(by induction 2) 
= gi (Fx,Gy) 
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2.4 Recursion Induction and Truncation Induction 

The comparison between these two methods begins with showing that 
truncation induction can be used to prove any result proved by recursion 
induction. The general principle behind the transformation of a recursion 
induction proof into a truncation induction proof is quite simple. If 
by recursion induction it can be proved that f = g, then it must be the 
case that for some h = Jtf(h) 

f =J/(f) 
and 

The truncations f. = -£(f._.) and g. = /U(g. ,) of f and g can then gen- 
erally be exptessed as f. =^/(f. .) 

A proof by truncation induction is then just the combination of the two 
parts of the recursion induction proof, as follows : 



(by the result of rec.ind. proof) 
(by induction) 
(by rec . ind . ) 



For simple recursion induction proofs, this transformation can be done 
quite mechanically, based on this outline. 



f. . Jif lml ) 


-4/cW 


=^ (Si-i) 


- A M ) 


= g i 
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Example 1 

We will prove that succ (f(m,n)) = f(succ(m),n) where f is defined as in 

section 1.2. 

Define h = \m.\n. if n = then succ(m) else h(succ(m), pred(n)) 

1. succ(f (m,n)) == succ(if n = then m else f(succ(m), pred(n))) 

= if n = then succ(m) else succ(f (succ(m), pred(n))) 
= JY (\m.\n. succ(f (m,n))) (m,n) 

2. f (succ(m,n)) s if n = then succ(m) else f (succ (succ (m) ) , pred(n)) 

= _J&/ (^tnAn.f (succ(m),n)) (m,n) 

Then the induction part of a truncation induction proof could be written: 
succ(f . (m,n)) = succ (if n = then m else f . _. (succ(m), pred(n))) 

= if n = then succ(m) else succ(f . _.. (succ(m), pred(n))) 

= .^(Xm.Xn. (succ(f . 1 (m,n))) (m,n) 
(ind) = Jf (\m.\n.f ._. (succ(m),n)) (m,n) 

= if n = then succ(m) else f ._- (succ (succ (m)), pred(n)) 

= f . (succ(m),n). 

There will be cases where this rule will not be directly applicable. 
Proofs in which the recursion induction principle is used less directly 
(for example in a subproof contained in one of the clauses of the defining 
conditional), or in which it is unclear how we are using the definitions 
or to what depth of recursion we have descended will require some examina- 
tion to determine at just what point this "combination of proofs" will go 
through to produce a proof by truncation induction. 

Some further examples should illustrate the types of considerations 
to be made before applying the rule. 
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Example 2 

We will prove another identity involving the same f of example 1. 

f(f(m,n),p) = f(f(m,p),n). 
First we define h=*\m.\n,\p. if p = then f(m,n) else h(succ(m),n,pred(p)) 

1. f(f(m,n),p) = if p = then f(m,n) else f (succ(f (m,n)),pred(p)) 

= if p = then f(m,n) else f (f (succ(m),n),pred(p)) 

(by proof ex. 1) 
= ^(\m. \n.\p.f(f(m,n,p)))(m,n,p) 

2. f(f(m,p),n) = f (if p = then m else f (succ(m),pred(p)),n) 

= if p = then f(m,n) else f (f (succ(m),pred(p)),n) 
■ ^k^m, \n. \p.f(f(m,p),n))(m,n,p) 

Notice that in part 1 the first occurrence of f is expanded by definition, 
while in part 2 we expanded the second occurrence. In neither part did 
we have to expand both occurrences of f. This fact is important in deter- 
mining exactly which indexes will be involved in the induction of the trun- 
cation proof. While a proof by truncation induction of 

fj. (^(nijiOjP) = f . (f . (m,p),n) is possible it is not the proof most closely 
related to the recursion induction proof. The goal should be one for 
which the identities already proven by recursion induction can be used to 
generate mechanically a truncation induction proof. To that end, consid- 
ering the manner in which recursion induction was used to achieve the de- 
sired results, a goal in terms of truncations can be found which will en- 
able us to do this. 

From this proof we get 

f^ffon),?) = f(f i (m,p),n) 

and the following proof, with subscripting the only revision necessary 
(i.e. no new steps need be added) 
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f^f (m,n),p) = if p = then f(m,n) else f (succ(f(m,n)),pred(p)) 
= if p = then f(m,n) else f . (f (succ(m),n),pred(p)) 
= >/(\m.A.n.\p. f i _ 1 (f(m,n),p))(m,n,p) 
= Jf (\m.\n.\p. f(f i _ 1 (m,p),n))(m,n,p) 
= if p = then f(m,n) else f (f . _ 1 (succ(m),pred (p)),n) 
= f(if p = then m else f . _. (succ(m),pred(p)),n) 
= f(f.(m,p),n). 

Example 3 

f(x) = g(x,x) 

g(x,y) = if Px then hx else g(Gx,y) 

h(x) = if Px then x else hFx 
proof that f (x) c h(x) (by showing f = M(f)) 

1. f(x) = g(x,x) = if Px then hx else g(Fx,x) 

= if Px then hx else g(Fx,Fx) See second part of proof 
= if Px then hx else fFx 

= ikf)(x> 

2. w.t.p. -,Px=»g(y,x) = g(y,Fx) 

Define i = \y.\x. if Py then hFx else i(Fy,x) 

a- g(y,x) = if Py then hx else g(Py,x) 

= if Py then hFx else g(Fy,x) 
(since — i Px=> hx = hFx) 

= J) Qy.^x. g(y,x))(y,x) 
b. g(y,Fx) = if Py then hFx else g(Fy,Fx) 

= ^9(ty.>«. g(y,Fx))(y,x) 
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The truncation induction proof follows: 

f . (x) = g. (x,x) = if Px then hx else g._..(Fx,x) 

= if Px then hx else g._ 1 (Fx,Fx) (see next proof) 

-if Px then hx else f._,(Fx) (definition) 

= ^(f._ 1 )(x) 

= 3r(h._,)(x) (by induction) 

= h.(x). 

w.t.p. -iPx^ g i (y,x) = g i (y,Fx) 
S ± (y,x) = if Py then hx else g i _ 1 (Fy,x) 

= if Py then hFx else g._..(Fy,x) 

= J}(\y.\x. g i _ 1 (y,x))(y,x) 

= J)(^y.^x. g i _ 1 (y,Fx))(y,x) 

= if Py then hFx else g., (Fy,Fx) 

Conversely, given a truncation induction proof, some of the informa- 
tion in the proof can be used towards the writing of a recursion induction 
proof. If the truncation induction proofs in this section are examined, 
the reader will notice that the steps in which the common form is ex- 
plicitly written out are superfluous, the exact same induction could have 
been performed directly on the expanded form. In an ordinary truncation 
induction proof, at the places where the induction hypothesis is used it 
should be possible to extract forms for the third function used in a re- 
cursion induction proof. As a matter of fact, informal performance of 
proof by truncation induction is probably the most often used technique 
for deciding what the third function should look like. One starts at both 
ends, expanding by the definitions the forms which are being compared un- 
til a common form is found. 
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There will be complications in applying this procedure to arbitrary- 
truncation induction proofs, generally of the sorts investigated in the 
previous section on u-rule and truncation induction. That is, in proofs 
with several successive steps by induction or definition at levels below 
i-1, the proof must be broken up into one step proofs, since recursion in- 
duction generally works on less depth of recursion than does truncation in- 
duction. Also in recursion induction, levels of recursion are not part 
of the function definition. This means certain of the arguments used in 
a |i-rule proof could not be used. For instance, for a proof of 
Pj^Cf) A P 2 (f) in which P^^GO) is proved using only P 2 (X) and P 2 (^(X)) 
is proved using only P-^X), the corresponding reasoning would appear cir- 
cular by recursion induction, where we would be saying that we can prove 
P^f) if P 2 (f) is true while P 2 (f) is true if P^f) is true. When a trun- 
cation induction proof is carried back several levels of induction this 
kind of reasoning results. If, in extracting subproofs as 
was done in trying to get a u-rule proof, these sequences of lines are 
examined for common forms across one or more induction calls, means can be 
found for getting around this. For example, looking back to Example 1 of 
section 2.3, by calling lines 3 to line 8 the subproof we will find line 5 
to describe the third form desired. In short, the change from truncation 
induction to recursion induction takes the same sort of recognition of 
useful third forms as does the original proof by recursion induction. 

A proof of f(x,y) = g(x,y) by recursion induction would actually take 
two parts f £ g, g c f . One corresponds to showing g = ,Jf(g) the other 
of f =x)(f). These in turn correspond to making a subproof about lines 
3 - 8 or lines 2-7 of the truncation induction proof, respectively. 
We will do g(x,y) £ f(x,y). 
Therefore we want to prove f =>J(f) 
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Proof 1 

f(x,y) ~ if Px then y else Cf(Fx,y) 

= if Px then v else f(Fx,Gy) 
(by proof 2) 
g(x,y) - if Px then y else g(Fx,Gy) 

Proof 2 

We want to prove Gf(Fx,y) = f(Fx,Gy) 

define h = \x.\y. if Px then Gy else Gh(Fx,y) 

Gf (Fx,y) = G(if Px then y else Gf(FFx,y)) 

= if Px then Gy else GGf(FFx,y) 

= >^x.\y. Gf(Fx,y))(x,y) 

f(Fx,Gy) = if PFx then Gy else Gf(FFX,Gy) 

= ^(^x.V. f(Fx,Gy))(x,y) 
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2.5 Recursion Induction and Structural Induction 

Since, as seen in section 2.2, structural induction and truncation 
induction are so similar, the relation between recursion induction and 
structural induction should not be very different from that between re- 
cursion induction and truncation induction with respect to the appropri- 
ate class of programs. There are a few additional observations which can 
be made, however, about Burstall's treatment of these methods in his 
paper . 

Burstall defines structural induction first as induction on complex- 
ity of data structures for which there are constructor functions, se- 
lectors and decidable predicates. He then explains that in its full gen- 
erality structural induction actually applies to programs on any domain 
which satisfies the minimum condition and for which the computations pro- 
ceed in accordance with the decreasing order of arguments. We have used 
these definitions in this general sense in many of our examples. Burstall 
does not, however, really explore structural induction in its fullest gen- 
erality in his paper. Every one of his examples is of the type (corre- 
sponding to those of section 2.4) which translates simply into a recur- 
sion induction proof. The induction is always simple, taking advantage 
of only one stage in the fixpoint construction (or in the structural or- 
dering). It seems that his conception of structural induction was really 
quite a bit narrower than his own definitions indicate, as he only makes 
use of one level of recursion in each proof. This would explain why, as 
Burstall mentions without details at the start of his paper, McCarthy 
was able to give a very simple and convincing argument that structural 
induction is just a special case of recursion induction. As Burstall 
uses it, that is exactly what it is, a straightforward rewriting of the 
proof being enough to change from proof by one method to the other. 
While the transformation is possible, in general it is not a mechanical 
process, but depends heavily on the extent to which the structural induc- 
tion proof was restricted to forms closely compatible with recursion in- 
duction. By the parallels drawn between structural induction and trunca- 
tion induction we know that a structural induction proof can depend on 
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application of the inductive hypothesis at lower levels of recursion 
and that some study may be required to draw out the computational struc- 
ture and associated conditional forms relevant to a recursion induction 
proof. 

To illustrate let's look at two proofs of f(x,y) = g(x,y) by 
structural induction where f and g are the following interpreted ver- 
sions of our familiar example. 

f (x,y) = if x = then y else f (x-l,y) + 1 

g(x,y) = if x = then y else g(x-l,y+l) 

The ordering on the domain is (x^y^ (x 2 ,y 2 ) iff x l < x 2 

The first proof is by structural induction with preference for style of 

recursion induction 

f(x,y) s if x = then y else f (x-l,y) + 1 

= if x = then y else g(x-l,y) + 1 

(by induction) 

g(x,y) = if x = then y else g(x-l,y+l) 

= if x = then y else g(x-l,y) + 1 

(by proof of g(x,y) + 1 = g(x,y+l) 

g(x,y) + 1 = if x = then y + 1 else g(x-l,y+l)+l 

= if x = then y + 1 else g(x-l,y+2) 

(induction) 

g(x,y+l) = if x = then y+1 else g(x-l,y+2) 

This second proof of f(x,y) = g(x,y) is carried out just as in the uninter- 
preted case by truncation induction 

f (x,y) = if x = then y else f (x-l,y) + 1 

= if x = then y else g(x-l,y) + 1 
= if x = then y else if x - 1 = then y + 1 

else g(x-2,y+l) + 1 



-49- 



= if x = then y else if x - 1=0 then y + 1 else 

f(x-2,y+l) + 1 
= if x = then y else f (x-l,y+l) 
= if x = then y else g(x-l,y+l) 
= g(x,y) 

This proof uses the induction hypothesis f(x',y') = g(x',y') for all 
(x',y') (<T) (x,y) more generally than the previous proof did. The first 
proof clearly lends itself more easily to reinterpretation as a recursion 
induction proof. 

As we said before, no proof of Burstall's in illustration of his 
definitions uses the induction hypothesis more than once. It seems that 
if he had to describe his conception of recursion it would be more like 
a u-rule theory explanation than like a truncation induction one. The 
reason why he still needs to define his rule with course-of-values type 
induction rather than simple induction is that his only requirement of 
the computation with respect to the structure is that successive calls have 
less complex arguments, but this decrease in complexity is not restricted 
to comply with some notion of one stage in structure composition. So al- 
though Burs tall probably didn't envisage uses of induction at more than 
one computation level, he did see the need for course-of-values induction 
due to the kind of programs he was concerned with. 
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Chapter 3. Some Comments on Program Verification 

An automatic program verifier is a system for proving correctness 
of programs. Assuming that the programmer has use of a language for in- 
dicating the intended meaning of his program, the proof of correctness 
will consist of a proof that the program does indeed realize this inten- 
tion. If this statement of intention is viewed as a second program, then 
the proof is in fact a proof of the equivalence of this program and the 
original one. Thus it is very likely that the techniques developed for 
proving equivalence of functions will be useful in work on program veri- 
fication. 

A program verifier will have to draw on several sources for its power. 
It is a theorem prover, the theorems it proves being in the form of equal- 
ities between a function definition and certain input-output specifica- 
tions. To prove these theorems, the verifier must have a store of 
facts -- axioms and induction rules, perhaps some previously proved 
theorems -- to work with. These facts will be roughly of two sorts, some 
about the subject matter of the program's computations, and others about 
the abstract structure of computations. For example, a program verifier 
for geometry programs will be capable of proving theorems in geometry, 
while a verifier for arithmetic programs will be capable of proving the- 
orems about numbers. But regardless of interpretation of the programs, 
if a program involves recursion, or iteration, in its computations the 
verifier will have to encompass a theory of computation with some rule of 
inference for dealing with the recursive computation structure. It is the 
need to get a handle on this part of the verifying process which has led 
to the study of uninterpreted schemas and which justifies their abstrac- 
tion from the more concrete interpreted programs. If you look again at 
any of the interpreted function definitions which we have used for exam- 
ples, you will see the obvious distinction between the steps justified by 
a theory of recursive schemas and those justified by the theory of the field 
of interpretation. An automatic verifier would have to handle both types 
of inferences to complete a proof. 
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Only the theories of computational structure as implied by certain 
rules of inference are being examined here. Since one of the chief goals 
of the theory of computation is finding means for automatic program veri- 
fication, along with means of analysis or debugging aids to correct pro- 
grams which are found to be incorrect, it is of interest to evaluate the 
methods we have been studying in terms of their applicability to the 
achievement of this goal. Some of the qualities desirable in a proof 
technique can be formulated now, though it is still a matter of specula- 
tion as to which will be most significant in determining final choices. 
To maximize the information gained from verification, the structure of the 
proof should reflect the structure of the computation. Should the proof 
fail to go through, it would be helpful to be able to identify the partic- 
ular part of the function definition which diverged from the intention. 
And, of course, it must be possible to carry out the proof mechanically, 
or with some limited amount of help from the programmer. It is interesting 
at this point to see how the language and techniques defined in previous 
chapters hold up in light of these criteria. 

First some thought must be given to how to write programs and cor- 
rectness conditions. Programming style will undoubtably be influenced by 
decisions about how a program verifier is to be constructed. For example, 
if a programmer has written a long program which is supposed to compute a 
known mathematical function he might give the verifier his program and the 
function as stated concisely in the notation of mathematics. However, the 
verifier may need some help in understanding how the various sections of the 
program actually contribute to the computation of the function. Rather than 
expecting to find grounds for comparison between a function definition as 
an indivisible unit and a concise formulation of the intention, it will be 
more reasonable to try to indicate conditions for sections of the program. 
These sections will be shown to satisfy their subconditions and then 
by considering the interaction of these sections, which are already known 
to be correct, the entire program will be proved correct. This type of 
commenting on the program will most likely coincide with the writer's own 
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under standing of the program. While in many cases the programmer could 
state some concise relation between input and output representing his 
intentions for the operation of the program, in a program of any length 
or complexity he will understand the program as an interaction of sub- 
programs each satisfying a condition necessary for meeting his final in- 
tention. These expressions of his intuitions into the workings of a com- 
putation by the program will then serve not only as justifications of the 
entire program but of all its parts. It will also make it easier to prove 
correctness of a slightly modified version of the program, since now it 
is sufficient to combine proof of correctness of a small part with the 
known correctness of the original program. 

It may be necessary, given information about solvability of equiv- 
lence problems for different classes of programs, for a programmer to 
learn to think differently about programs, molding his approach to solving 
problems to the form of the language in which he will eventually state the 
solution. For example, the use of goto statements is known to make proof 
of equivalence of programs more difficult. However there are no programs 
written using goto statements, which cannot be rewritten without them. The 
program writing language used throughout this thesis, namely conditional 
statements, is powerful enough to express any program which could be 
written with goto expressions (even more powerful [10]). Many people orig- 
inally learn to program in Fortran, or some such language, using goto 's, 
and consequently feel that the goto is too useful to sacrifice. Yet those 
who learn to use a language like Lisp, find that they very quickly adopt 
a new approach to solving problems as the most natural. It is likely that 
as the prospects for having automatic program verifiers become better, 
through greater facility with proof techniques, the cost of this sort of 
restriction of programming style will begin to seem small as compared to 
the possible advantages to be had if a program verifier could be imple- 
mented. 

We can find in the examples worked in previous chapters some cases 
illustrating the degree to which a proof may or may not reflect the more 
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obvious intuitive arguments for equivalence of definition. Clearest is 
the comparison of the several proofs of equivalence of 

f(x,y) == if Px then y else Gf (Fx,y) 

g(x,y) = if Px then y else g(Fx,Gy) 

As noted earlier, the equivalence of f and g is most simply explained by 
the fact that in one case Gy is computed at each step in the evaluation 
and in the other the number of such computations is counted and all of 
them are done at the end. This explanation forms the basis for a recur- 
sion induction proof (and seems to be the most obvious choice for 
proceeding by u-rule), but is completely lost in the truncation induction 
proof given in Morris [7] (Example 1 of section 2.3). For the purposes of 
following the writer's reasoning as closely as possible, allowing his com- 
ments to aid in proof, and of breaking up the proof into more manageable 
subproofs (examination of the proofs will reveal that this is another re- 
sulting difference in form), the former methods seem preferable. 

It is possible, however, that efforts to mechanize this process will 
show reason to favor truncation induction. It may not be reasonable to 
expect to reflect human understanding directly in a computer system. Then 
a system which works blindly to the same end may be the only choice. The 
fact that with truncation induction a proof of the equivalence of f and g 
can be obtained without any real understanding of the functions may turn 
out to be a very good reason for choosing truncation induction over other 
methods. A basis for mechanical proof might be some generalization of the 
following simple non-deterministic algorithm by which the reader should 
be able to show the equivalence of f and g as defined above and as proved 
in section 2.3. 



Defn. 1. f.(x,y) = -^(f^) (x,y) 
Defn. 2. g.(x,y) = x$(g. ^ (x,y) 



To prove f^x.y) = g i (x,y) 

assume f (x,y) = g . (x,y) for all j < i 

Start with f . (x,y) =* X 
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2. If X = g-^Xjy) go to End else go to 3a, 3b, 3c, 3d, 3e, or 3f. 

3a. If X contains J<(f)(x,y) for j < i, substitute f -(x.y). 
Go to 2. 

3b. If X contains y^/(g.(x,y)) for j < i substitute g 1 (x,y). 
Go to 2. 

3c. If X contains f . substitute y*(f ) (x,y) . 
Go to 2. 

3d. If X contains g. substitute j|f(g ._.) (x,y) . 
Go to 2. 

3e. If X contains f . i < i substitute g . 
Go to 2. 

3f. If X contains g j < i substitute f .. 
Go to 2. 

Assuming that by pattern matching the test for containment of a certain 
form in the arbitrary form X can be performed (distribution of functions 
over conditions, and such operations would have to be included), this al- 
gorithm will go through all possible sequences of valid inferences until 
it finds the desired identity. The sequence 

0, 1, 2, 3c, 2, 3e, 2, 3d, 2, 3f, 2, 3a, 2, 3e, 2, 3b, 2, End. 

corresponds to the proof of section 2.3. 

If our programs are meant to operate on structured data, then struc- 
tural induction will be a very natural tool to use. Probably anyone 
writing a program with a structure in mind is thinking in terms of per- 
forming operations on successive substructures -- this is the kind of 
thinking which develops with a language like Lisp. Also, in practice, a 
programmer will not want to write a program which might run forever for 
some input. If he is not sure that he is performing a calculation guaran- 
teed to halt, then he will impose some artificial constraint on the pro- 
gram forcing halting in all cases. Therefore, any real program will have 
an ordering on its input, forcing convergence on a known domain. We 
could then say that for all practical purposes it is only necessary to 
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handle total functions, and perhaps then structural induction will turn 
out to be most useful. 

In some cases, it may be necessary for the theorem prover for the 
field of interpretation to check that this ordering is indeed one which 
satisfies the minimum condition, a consideration outside the range of 
uninterpreted schematology . In a practical debugging system, however, 
we would want to check for the possibility that the programmer had erred 
in writing in a way which might allow infinite computation for some argu- 
ments. For this reason it might be advisable to carefully separate proof 
of equivalence where defined and proof of convergence, making a proof 
technique which assumes nothing about convergence the more desirable. 

We are not prepared here to judge which will be the overriding cri- 
teria for the choice of method of automatic program verification, but hope 
we have indicated some of the possible bases for judging these methods, 
perhaps some justification for the independent study of program schema, 
and areas for future work. 
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Chapter 4. Conclusion 

Of the four methods, recursion induction alone imposes any real re- 
strictions on the kinds of steps we can take in proofs. This is due to the 
fact that the view of function definition taken by the user of this 
method (whether he knows it or not) is that a definition is a monotonic 
mapping, but may or may not be continuous. Therefore, he ignores some 
of the information that could be used to compare these functions, partic- 
ularly the alternative definition of fixpoint, available for monotonic, 
continuous functions. The intermediary goals to be set up for performing 
a proof will be in the forms both of desired subproofs and in the dis- 
covery of alternative conditional forms which represent the common compu- 
tation structure of the functions being compared. After finding a Valid 
proof some unsettled questions about domains of function might be left 
when they could have been avoided with other techniques. 

As for the three other methods, we have seen that while all three 
make identical claims about functions, they do so from such varying points 
of view as to effectively become different techniques. For someone working 
with structured data, structural induction provides proof justifiable on 
the basis of facts about the data apparently requiring no insight into the 
computation of recursively defined functions. The user of the u-rule is 
more likely to break down his proofs into subproofs which make explicit 
all the identities he is actually proving, while the user of truncation 
induction, who presumably understands what the fixed point of a recursive 
definition looks like, will probably carry on a chain of expansions by 
definition and calls on the induction hypothesis, losing sight of sub- 
goals as he proves the primary hypothesis. 

We find ourselves then, with four seemingly different techniques — 
and they are different in the following sense: For any particular problem 
one of these views will probably seem more natural or illuminating than 
the others and will facilitate a proof by induction. This proof, however, 
could in principle be carried out by any one of these methods. 
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Once a thorough understanding of the available methods of proof is 
obtained, the programmer will find it to his advantage to plan ahead for 
times when he may need to prove facts about his programs. The way he 
originally writes a program may affect his choice of proof techniques 
later. The development of mechanical program verifiers will require re- 
strictions on the style of programming to fit the method of verification. 
In the preceding chapters it was seen both how the choice of method can 
eventually influence a programmer's conception of recursion and how the 
interpretation of recursive definitions, or of the domains of recursive 
programs, may influence his choice of proof technique. Future work in 
program verification may further influence and be influenced by these 
choices . 



-58- 



Appendix 

A. Theorem: If c monotone 
then 



1. c(conv(c)) = conv(c) 

2. conv(c) = fl (mjc(m) = m}. 



Proof: 



1. a. Suppose c(m)£ m, then conv(c) cm (section 1.4 (2)). 
c(conv(c)) £ c(m) since c monotone, but c(m) £ m by- 
hypothesis, so c(conv(c)) £ m. This holds for all 
m € (m|c(m) £ m} 
.'. c(conv(c)) Cfl (m|c(m) cm} 
= conv(c). 

b. From a, c(conv(c)) £ conv(c) 

c(c(conv(c))) £ c(conv(c)) 
since c monotone 
so conv(c) £ c(conv(c)) (by 1.4 (2)). 

2. a. From defn conv(c) = (mjc(m) £ m} £ U fm|c(m) = m} 

b. From 1 conv(c) = c(conv(c)) 

conv(c) £ (m|c(m) = m} so conv(c) 2 fl (m|c(m) - m} 

B. The following, suggested by Paterson, is a definition outside the class 
C(^f)as an example of a non-continuous function. 

£?(f) = \x.if x = 1 then if f defined for all even numbers then 1 

else undefined 
else undefined 
s° 6(f) la a function g, undefined everywhere except possibly at x =» 1 
and d (f)(1) - 1 iff f(x) defined for all even x. 

Let us try to apply the test for continuity that for all 

m. £ m. £ . . . 



C [ & \) • u t <?<V 



,;i | ' ! ■ , f . s (-■ r i (.. s nf f ! i T1 c (-■ j n t ; q 



('■.} 1 ) 



'■■J,l W2,!.^ - f(0,n,r2,] 1,(3,1)) c; 



V : 



! J 1 



(it 
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